VYPR
Moderate severity · NVD Advisory · Published Sep 14, 2023 · Updated Sep 26, 2024

Vault's Transit Secrets Engine Allowed Nonce Specified without Convergent Encryption

CVE-2023-4680

Description

HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions     Patched versions
github.com/hashicorp/vault (Go)  >= 1.6.0, < 1.12.11   1.12.11
github.com/hashicorp/vault (Go)  >= 1.13.0, < 1.13.7   1.13.7
github.com/hashicorp/vault (Go)  >= 1.14.0, < 1.14.3   1.14.3
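
An added example, not part of the advisory or of HashiCorp's code: a Go check of a Vault version string against the affected ranges in the table above, returning the patched release for the matching range. The function names, the accepted version formats and the sample input are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Affected ranges copied from the advisory table: {first affected, patched}.
var ranges = [][2]string{
	{"1.6.0", "1.12.11"},
	{"1.13.0", "1.13.7"},
	{"1.14.0", "1.14.3"},
}

// parse turns "1.13.6", "v1.14.2" or "1.12.10+ent" into a sortable integer; pre-release tags such as "-rc1" are rejected.
func parse(s string) (key int, err error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	s, _, _ = strings.Cut(s, "+") // drop build metadata such as "+ent"
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return 0, fmt.Errorf("not major.minor.patch: %q", s)
	}
	for _, p := range parts {
		n, e := strconv.Atoi(p)
		if e != nil || n < 0 || n > 999 {
			return 0, fmt.Errorf("bad version component %q", p)
		}
		key = key*1000 + n
	}
	return key, nil
}

// Affected reports whether version is in an affected range and, if so, the patched release listed for that range.
func Affected(version string) (bool, string, error) {
	v, err := parse(version)
	if err != nil {
		return false, "", err
	}
	for _, r := range ranges {
		lo, _ := parse(r[0]) // table entries are known to parse
		hi, _ := parse(r[1])
		if v >= lo && v < hi {
			return true, r[1], nil
		}
	}
	return false, "", nil
}

func main() { fmt.Println(Affected("1.14.2+ent")) } // constructed sample input
```

Releases between 1.6.0 and 1.11.x fall in the first range, so the check points them at 1.12.11.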
